>Yes, we're using SMP. So users have to authenticate every time the SMP session expires? And this is not limited to SAML?
As long as there is no valid IDP session, the user has to authenticate again. This is only the case when using SAML, because here SMP does not really authenticate the user; it will only check and accept the SAML assertion ticket. In other scenarios, e.g. when using user and password based authentication at SMP, these credentials are stored in a secure data vault inside the app, so that the user only has to provide his credentials on first app start (onboarding).
I do not recommend increasing the SMP session timeout, for the following reasons:
1) Security (Session Timeout is a security mechanism)
2) Performance (Each open session requires memory on the server)
3) General Impact (The timeout parameter is general, thus all sessions are extended, including the session of smpAdmin when logging into the Management Cockpit)
>We really thought authentication only happens during user onboarding/registration. I guess we were wrong about that.
Of course, authentication is (and should be) always happening when contacting the SMP server. SMP will check whether a valid session is available; if yes, the session is used; if not, authentication takes place as defined inside the security profile. Usually, if using LogonManager (which is part of FioriClient), authentication should take place in the background without user interaction (if the app got onboarded and security and SSO are set up correctly), but in some cases, e.g. SAML, this might not be possible.
Regards
Marvin